Solved

Automatically log user off from Domain after x minutes of inactivity.

Posted on 2004-09-11
Last Modified: 2012-06-22
How can I configure a domain account so that the domain user is automatically logged off after x minutes of inactivity? Is it possible to create a group policy for this?

I want to configure and implement this from my server, since we occasionally have a problem with employees with quite high privileges who forget to log out and therefore present a security risk.

Sheldon

Question by:Sheldonh
19 Comments
 

Expert Comment

by:AndyBeamish
ID: 12033824
I'm assuming you're running Windows 2000 or better on the servers and workstations...

Can I suggest an ultra-simple solution: put the screen saver on, for example, 5 minutes and tick the box for "On resume, password protect". Whilst this doesn't explicitly log the user out from the network it does lock the machine until a user or admin password is entered.

Going a stage further you can lock down the screen saver options under gpedit. Have a browse to User Configuration / Administrative Templates / Control Panel / Display. Just make sure the users don't do the usual "password-on-a-post-it" !

Actually, I wouldn't recommend automatically logging off users anyway as they're bound to be half way through some vital report just as they break for lunch :)

Regards,

Andy
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12033928
You can certainly ensure that your users logoff.  We worked on several of these threads already...  here are the links:

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20860048.html

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20878958.html

Good luck..

FE
0
 

Expert Comment

by:naramalai
ID: 12033934
The Automatically log off users when logon time expires, at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, should be re-titled as Automatically disconnect users when logon time expires.

This policy affects the Server Message Block (SMB) component of a Windows 2000 server. When the policy is Enabled, the client sessions with the SMB server are forcibly disconnected when the client's logon hours expire.

STEP:
1) This policy affects all the computers in the domain, unlike Automatically log off users when logon time expires (local), which only affects the computers upon which it is applied.
2) When you configure a user's Logon Hours, they are prevented from logging on during unauthorized times, but they are not disconnected when their time expires?

To forcibly disconnect the user when their time expires, implement one of the following Group Policies:

Automatically log off users when logon time expires at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. This policy affects the SMB component of a Windows 2000 server. When enabled, the policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. This policy affects all the computers in the domain.

Automatically log off users when logon time expires (local) at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. This policy is the Local Computer policy default.

3) When you enforce logon hours restrictions by using Group Policy to navigate to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options and enable Automatically log off users when logon time expires, users whose logon time settings prevent logon at this time are NOT permitted to log on. However, users who are logged on and should be logged off are not?

If this happens in your domain, try the following:

1. Open a CMD prompt.

2. Type:

net accounts /forcelogoff:<minutes> /domain

where <minutes> is the number of minutes after the log on time expires that a user will be forced off. The user will receive a warning message <minutes> before the forced log off.

NOTE : The default setting for the /forcelogoff switch is no. When no is set, forced logoff is prevented. To see the current setting, open a CMD prompt and type net accounts. If this returns:

Force user logoff how long after time expires?: Never

then forced logoff is prevented. I would NOT set <minutes> to 0.

0

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12033970
Just a comment nara...   EE recommends that when you copy something that you give credit to the original site...

For instance:  (if this is where you got that..  it is linked from the threads I posted above..)

http://www.jsiinc.com/subl/tip5500/rh5566.htm
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12035628
You could try something along these lines:

http://www.jsiinc.com/subh/tip3500/rh3590.htm
0
 

Expert Comment

by:exids
ID: 12035751
Why don't you just set up the screen saver to password protect the system after a certain amount of time?  You can even do it in group policy.  It's so much less complicated.

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prdb_cdk_ugxd.asp
0
 

Expert Comment

by:exids
ID: 12035754
Read the first post again
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12036088
Yes, but he is asking how to force a logoff....  There are good reasons to do this, other than just security...   Alternatives are always nice to add, but we should first focus on his primary question..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12036137
Why would you copy the same link I provided above..????   :)
0
 
LVL 1

Author Comment

by:Sheldonh
ID: 12042162
Hi all

Thank you all for your replies. A few things to clear up:

First, a lot said that I should use the screensaver password thing. Can't, when computer resumes, then only the administrator or the SAME USER that was logged on when the screensaver came on may resume the session. This is a problem, because it is not always the case that the same user uses the same computer all the time.

Second, a lot was also said about the force logoff of users AFTER LOGON TIME EXPIRES. Well, we don't have set logon times and because we are in a multi-user "per computer" environment, this won't help anyway. If I say that you can only logon before 17:00 every day and it is after 17:00 and a user is still logged on then will it only automatically log off after the set time period after 17:00. What if the user of a computer walks away for 30 minutes at say, 13:00, then it is still before 17:00 and he won't be logged off automatically.

Now, if user walks away and another user sits in front of that same computer after say 30 minutes, then that computer should already be logged off, so that the other user can log on.

Now I have followed some of the links provided, and I have seen some discussions about

"Automatically log off users" and/or "Amount of idle time required before disconnecting session"

but I can't find the above options. I do however find the "Amount of idle time before suspending network session" option. I have tried to apply this to the domain and it doesn't seem to work. I applied it to the domain under "Domain Security Policy" and under GPO. I haven't seen any result. All the other policy settings that I apply are working, except this one.

Here is a Microsoft help description for "Amount of idle time before suspending network session"

Description
Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.

Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.


I understand this as the user's session being suspended, and then later automatically being started again, but for the same user. I don't think this is the same as logging off, I could be wrong.

There is also an option under a USER's Account properties under the "Sessions" tab for "Idle Time", and then underneath that the action to take after the set idle time. But that didn't work either. If it did work, then that would mean I would have to set this option for each and every user, about 200+ times...!

So, I need a GPO setting, that will automatically LOGOFF a user after a set time so that any other user will be able to log onto that same machine. No admin accounts needed etc...

Thanks again
0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 1000 total points
ID: 12043715
Did you try this..  Unfortunately it is not a GPO, but it does reflect one way to go about this...

Workstations that are left logged on may represent a security risk for an organization. Many networks allow users to leave programs running and to remain logged on to their computers for an undefined time period. The Microsoft Windows 2000 Resource Kit includes the Winexit.scr tool that you can use to automatically quit a user's programs and to log the user off of the workstation.

How to Configure the Winexit.scr Screen Saver:

Use Windows Explorer to locate the Winexit.scr file in the Windows 2000 Resource Kit folder on your hard disk.
Right-click the Winexit.scr file, and then click Install.
The Display Properties dialog box appears with the Screen Saver tab active. The Logoff Screen Saver entry is automatically selected. Click Settings.
Select the Force application termination check box to force programs to quit.
In the Countdown for n seconds box, type the number of seconds for which the logoff dialog box appears before the user is logged off.
In the Logoff Message box, type the message that appears during the logoff countdown. Click OK.
In the Display Properties dialog box, click Preview.
You see the Auto Logoff dialog box. It displays the logoff message and the countdown timer. Click Cancel.
Click OK.
0
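
Added example, not part of the thread or any poster's code: a PowerShell check that reads the screen saver values set through Control Panel / Display (or its Group Policy) and reports whether an idle session is logged off (Winexit.scr), only locked (password-protected saver), or left open. The function names, the 900-second limit and the sample values are assumptions made for illustration.

```powershell
# Added example: classify the idle-session control from the screen saver values
# that Control Panel / Display (or its Group Policy) writes to the registry.
function Get-IdleControl {
    param(
        [hashtable]$Desktop,            # value name -> data from the Desktop key
        [int]$MaxIdleSeconds = 900      # assumed site limit, not from the thread
    )
    $active  = "$($Desktop['ScreenSaveActive'])" -eq '1'
    $secure  = "$($Desktop['ScreenSaverIsSecure'])" -eq '1'
    $saver   = "$($Desktop['SCRNSAVE.EXE'])"
    $timeout = 0
    [void][int]::TryParse("$($Desktop['ScreenSaveTimeOut'])", [ref]$timeout)

    if (-not $active -or -not $saver) { return 'None: no screen saver is enforced' }
    if ($timeout -le 0 -or $timeout -gt $MaxIdleSeconds) {
        return "Weak: idle timeout is $timeout s (limit $MaxIdleSeconds s)"
    }
    # Winexit.scr ends the session, so the next person can log on.
    if ((Split-Path -Leaf $saver) -ieq 'winexit.scr') { return 'Logoff' }
    # A password-protected saver only locks: the same user or an admin must unlock.
    if ($secure) { return 'Lock' }
    return 'None: screen saver runs without password protection'
}

function Read-DesktopValues {
    # Policy-enforced values take precedence over the user's own settings.
    $keys  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
             'HKCU:\Control Panel\Desktop'
    $names = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'
    $found = @{}
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($n in $names) {
            if (-not $found.ContainsKey($n) -and $null -ne $props.$n) { $found[$n] = $props.$n }
        }
    }
    return $found
}

# Constructed samples (not from the thread): a shared PC and a lock-only PC.
$shared = @{ ScreenSaveActive = '1'; 'SCRNSAVE.EXE' = 'C:\WINNT\System32\winexit.scr'; ScreenSaveTimeOut = '600' }
$locked = @{ ScreenSaveActive = '1'; 'SCRNSAVE.EXE' = 'logon.scr'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '300' }
Get-IdleControl $shared
Get-IdleControl $locked
Get-IdleControl (Read-DesktopValues)    # live check of the current user's settings
```

Run from a logon script, the last call shows per user whether the Winexit.scr deployment actually took effect or whether the machine only locks.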
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12043720
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12043740
And here is another article that addresses the Winexit method..

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=4541
0
 
LVL 1

Author Comment

by:Sheldonh
ID: 12052945
Hi All

Thank you FE for pointing out Winexit.scr to me. I was aware of this feature before, but wanted a better way of implementing this on a domain. I have come to realise that Microsoft actually does not have such a feature. So they released Winexit Screensaver with a Resource Kit. It is still a bit of a hassle to have the screensaver installed on all machines, and then there is also a bug in the screensaver that can be fixed by editing the registry of EACH MACHINE!! Permissions have to be set...

So, I will use this as my solution, seeing that there is nothing else.

Thanks for nothing Microsoft!!!

Cheers

Sheldon grabs the nearest vine and exits Tarzan style...
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12053739
Sheldon,

If you would like some help in scripting the registry change in your startup/login scripts, just let me know.

Jared
0
 
LVL 1

Author Comment

by:Sheldonh
ID: 12053800
Thanks JL

I will do so...

Cheers
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12054385
Yea..  MS should address this..  Perhaps in Service Pack 10..???  :)

But thanks...  and good luck with the deployment..

FE
0
